On 29 June 2021, The Lawyer reported that 4 New Square Chambers, described by Chambers and Partners as a ‘leading commercial set’, had been the victim of a ransomware attack. The chambers’ website professes a specialism in information technology, illustrating that every set is a potential target for malware regardless of size or expertise. This point was emphasised three days later, on 2 July 2021, when news agencies reported that over 200 American businesses had been subject to a ransomware attack following an incident at a Miami-based IT firm.
So if leading commercial sets and IT firms are vulnerable to attack, how should chambers protect themselves from ransomware? The National Cyber Security Centre (NCSC) provides a range of advice and guidance relevant to securing chambers’ systems under its Cyber Essentials programme. Cyber Essentials also provides two forms of certification – Cyber Essentials and Cyber Essentials Plus – which are designed to provide peace of mind that cyber defences are in place to protect against the vast majority of common cyber-attacks.
Whether chambers achieves certification or not, the following five points are vital to ensure that hackers are not simply being invited to walk through an open door:
A firewall sits between your computer, or computers, and your internet connection, and inspects incoming traffic, whether emails or digital downloads, so that it can be analysed and assessed before being permitted to enter the network.
Firewalls can be placed at various points within a chambers’ network:
Members of chambers should not consider the imposition of firewalls to be a ‘chambers problem’ rather than an issue for each individual. A boundary firewall will generally protect from external threats; however, if a personal laptop has been used, without a firewall, outside of a chambers setting, in particular when accessing public networks or untrusted Wi-Fi connections, then this can represent a risk to the chambers’ network. The NCSC Cyber Essentials Certification requires that all devices are configured to use a firewall.
When you acquire new devices or software, check that the security levels are set to their highest and not left at the default ‘Recommended’. Default settings are often chosen for ease of use rather than security. While this may be a benefit for a home computer or tablet that is used for music, games or videos, in a professional setting it may not be appropriate.
Passwords must be applied to all devices: computers, laptops, tablets and smartphones. Default passwords must be changed, and, whenever possible, ‘strong passwords’ applied.
A strong password will contain upper and lower case letters, numbers, and special characters (@?!), and will contain multiple word combinations. Using multiple word combinations, rather than a single word which includes a special character or number, can be easier to remember, especially when a password needs to be updated regularly, and harder for a hacker to guess. ‘Password1’ which is changed to ‘Password2’ is very insecure, whereas ‘Cartoon-Duck-14-Coffee’ followed by ‘Cartoon-Duck-14-Tea’ is significantly more secure.
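As an added example (not from the article or the NCSC), the following Python check applies the rules this paragraph describes to a password change: it rejects a new password that merely increments the number on the end of the old one, and tests the new password for the character mix and the multiple words the article asks for. The length and word-count thresholds, and treating any non-alphanumeric character as ‘special’, are assumptions made here.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy thresholds (assumptions, not taken from the article).
MIN_LENGTH = 12   # minimum total length
MIN_WORDS = 3     # "multiple word combinations" read as at least three words

_WORD_RE = re.compile(r"[A-Za-z]{2,}")              # a word is 2+ letters
_TRAILING_NUMBER_RE = re.compile(r"^(.*?)(\d+)$")   # prefix + trailing digits


def assess_password(pw: str) -> Dict[str, bool]:
    """Check the article's ingredients of a strong password: upper and lower
    case, numbers, special characters and several words. Any non-alphanumeric
    character counts as special here (the article gives @?! as examples)."""
    words = _WORD_RE.findall(pw)
    result = {
        "length": len(pw) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
        "multi_word": len(words) >= MIN_WORDS,
    }
    result["strong"] = all(result.values())
    return result


def is_trivial_increment(old: str, new: str) -> bool:
    """True when `new` is `old` with only the trailing number changed
    (Password1 -> Password2): the first guess after a forced rotation."""
    m_old, m_new = _TRAILING_NUMBER_RE.match(old), _TRAILING_NUMBER_RE.match(new)
    if not (m_old and m_new):
        return False
    same_prefix = m_old.group(1).lower() == m_new.group(1).lower()
    return same_prefix and m_old.group(2) != m_new.group(2)


def check_password_change(old: str, new: str) -> Tuple[bool, List[str]]:
    """Validate a rotation: the new password must be strong and must not be
    the old one, or a trivial increment of it. Returns (accepted, reasons)."""
    reasons: List[str] = []
    if new.lower() == old.lower():
        reasons.append("new password is the same as the old one")
    elif is_trivial_increment(old, new):
        reasons.append("new password only changes the number at the end")
    failed = [k for k, v in assess_password(new).items() if not v and k != "strong"]
    if failed:
        reasons.append("missing: " + ", ".join(failed))
    return (not reasons, reasons)
```

Run on the article’s own pairs, ‘Password1’ to ‘Password2’ is rejected on both counts, while ‘Cartoon-Duck-14-Coffee’ to ‘Cartoon-Duck-14-Tea’ passes.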
Face ID and Touch ID now mean that passwords no longer need to be memorised, but they increase the risk if the underlying passwords are insecure.
Where chambers are protecting particularly important information, multi-factor authentication (‘2FA’) should be applied. Microsoft 365 now provides 2FA using a smartphone as the second factor.
Admin accounts should not be keys to the entire castle. Check what privileges administrators have over a system and reduce access so that admin accounts can only undertake specific administrative tasks.
Any account which requires full access, such as those of IT professionals or significant employees, must use 2FA to access the account.
Only use software from official sources. The easiest method is to ensure users install software from manufacturer-approved stores, which screen for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
NCSC Cyber Essentials Certification requires that administrative privileges are only given to those who need them, and that administrator access is controlled. Further, only necessary applications from official sources should be used.
Ransomware falls within the definition of malware, and can be introduced into a network in a variety of ways: through an infected email attachment; by a user browsing a malicious website; or use of a removable storage device, like a USB stick, carrying malware. Educating members of chambers, and staff, is an excellent way to start defending a network. However, the following technical measures should also be put in place:
Cyber Essentials Certification requires the use of at least one of the anti-malware defences listed above.
Many of the most popular applications will update regularly by default. However, this often requires a laptop or computer to restart before the updates are fully applied. Individuals are encouraged to update and restart as soon as they are prompted. This improves the security of your machine and of the network, and also prevents an embarrassing update causing a loss of connection in the middle of a remote hearing.
Certification by the NCSC requires that devices, software and applications are kept up to date. This may mean replacing devices, such as older iPhones, which no longer support the latest software versions.
Following the NCSC Guidance makes a network more secure and acts as a disincentive for a hacker. Why spend hours looking for a way into one network when you could potentially walk straight into another? However, ransomware is a problem that can affect anyone regardless of the size of the organisation, or the caution which is applied. If, like 4 New Square, a chambers is affected by ransomware, applying appropriate measures may assist when reporting a personal data breach to the Information Commissioner.
Further information: The Bar Council recently put out a notice on cybersecurity. The ethical guidance documents provided by the Bar Council’s IT Panel offer help on various data protection and privacy issues.